U.S. Department of Agriculture
Office of Inspector General
Financial & IT Operations

Audit Report

Fiscal Year 2007 – Office of the Chief Financial Officer/National Finance Center
General Controls Review

Report No. 11401-26-FM
September 2007


UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

September 27, 2007

REPLY TO
ATTN OF:   11401-26-FM

TO:        Charles R. Christopherson, Jr.
           Chief Financial Officer
           Office of the Chief Financial Officer

THROUGH:   Kathleen A. Donaldson
           Audit Liaison Officer
           Office of the Chief Financial Officer

FROM:      Robert W. Young   /s/
           Assistant Inspector General
            for Audit

SUBJECT:   Fiscal Year 2007 – Office of the Chief Financial Officer/National Finance Center
           General Controls Review

This report presents the results of our review of internal controls at the Office of the Chief Financial Officer/National Finance Center (OCFO/NFC) for fiscal year 2007. The audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and American Institute of Certified Public Accountants Professional Standards AU Sections 316, 319, and 324, as amended by applicable Statements on Auditing Standards (SAS), which are commonly referred to as a SAS 70 audit. While OCFO/NFC has continued to improve its internal controls, the report contains a qualified opinion because certain control policies and procedures, as described in the report, had not consistently operated effectively from July 1, 2006, through June 30, 2007. As of August 30, 2007, OCFO/NFC had corrected or was in the process of correcting the exceptions we identified.

The report describes weaknesses in OCFO/NFC internal control policies and procedures that may be relevant to the internal control structure of OCFO/NFC customer agencies. However, the accuracy and reliability of the data processed by OCFO/NFC and the resultant reports ultimately rest with the customer agency and any accompanying compensating controls implemented by the agency. The projections of any conclusions based on our audit findings to future periods are subject to the risk that changes may alter the validity of such conclusions. This report is intended solely for the management of OCFO/NFC, its customer agencies, and their auditors.

We appreciate the courtesies and cooperation extended to us during this review.


Executive Summary
Fiscal Year 2007 – Office of the Chief Financial Officer/National Finance Center General Controls Review (Audit Report No. 11401-26-FM)

Results in Brief

This report presents the results of our review of internal controls at the U.S. Department of Agriculture's Office of the Chief Financial Officer/National Finance Center (OCFO/NFC) for fiscal year 2007. While OCFO/NFC had continued to improve its internal controls, this report contains a qualified opinion because OCFO/NFC controls had not operated effectively to ensure that certain access control, awareness and training, audit and accountability, configuration management, contingency planning, and personnel security objectives were consistently achieved from July 1, 2006, through June 30, 2007. As of August 30, 2007, OCFO/NFC had corrected or was in the process of correcting the exceptions identified. The results of our tests and corrective actions taken by OCFO/NFC are described in exhibit B.

Our objectives were to perform procedures necessary to express opinions about whether (1) OCFO/NFC's description of controls in exhibit A presents fairly, in all material respects, the aspects of OCFO/NFC controls that may be relevant to a customer agency's internal control as it relates to an audit of financial statements; (2) the controls included and/or referenced were placed in operation and suitably designed to achieve the associated control objectives, if those controls were complied with satisfactorily, and customer agencies applied the controls specified in exhibit A; and (3) the controls we tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the associated control objectives were achieved during the period from July 1, 2006, through June 30, 2007.

Our audit disclosed that OCFO/NFC's description of controls presented fairly, in all material respects, the relevant aspects of OCFO/NFC controls. Also, in our opinion, the controls included and/or referenced in the description, as updated, were suitably designed to provide reasonable assurance that associated control objectives would be achieved if the described policies and procedures were complied with satisfactorily and customer agencies applied the controls specified in the OCFO/NFC description of controls.

Recommendations in Brief

OCFO/NFC corrected or was in the process of correcting the exceptions we identified. Consequently, we are not making additional recommendations.

USDA/OIG-A/11401-26-FM                                                                         Page i


Abbreviations Used in This Report

C&A     certification and accreditation
COOP    Continuity of Operations Plan
DRP     Disaster Recovery Plan
GESD    Government Employees Services Division
GSS     general support system
HRMS    Human Resources Management Staff
ID      identification
ISSO    Information System Security Office
ITSD    Information Technology Services Division
NFC     National Finance Center
NIST    National Institute of Standards and Technology
OCFO    Office of the Chief Financial Officer
PMSO    Position Management System
PSD     Position Sensitivity Designation
SETS    Security Entry and Tracking System
SRM     security requirements matrix
SSP     system security plans
ST&E    security test and evaluation
USDA    United States Department of Agriculture


Table of Contents

Executive Summary ........................................................................ i
Abbreviations Used in This Report ........................................................ ii
Report of the Office of Inspector General ................................................. 1
Exhibit A – Office of the Chief Financial Officer/National Finance Center Description of
            Controls ....................................................................... 3
Exhibit B – Office of Inspector General - Review of Selected Controls .................... 20


UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

Report of the Office of Inspector General

TO:    Charles R. Christopherson, Jr.
       Chief Financial Officer
       Office of the Chief Financial Officer

We have examined the control objectives and techniques identified or referenced in exhibit A for the U.S. Department of Agriculture's Office of the Chief Financial Officer/National Finance Center (OCFO/NFC). Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of OCFO/NFC controls that may be relevant to a customer agency's internal control as it relates to the audit of financial statements; (2) the controls included or referenced in the description had been placed in operation as of June 30, 2007; and (3) such controls were suitably designed to achieve the associated control objectives, if those controls were complied with satisfactorily and customer agencies applied the controls specified in the OCFO/NFC description of controls. The control objectives were specified by the National Institute of Standards and Technology.

Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and standards issued by the American Institute of Certified Public Accountants and included those procedures we considered necessary to obtain a reasonable basis for rendering our opinion.

OCFO/NFC continued to improve its internal controls. However, certain access control, awareness and training, audit and accountability, configuration management, contingency planning, and personnel security objectives, as described in exhibit B, were not consistently achieved from July 1, 2006, through June 30, 2007. As of August 30, 2007, OCFO/NFC had corrected or was in the process of correcting the exceptions we identified.

In our opinion, OCFO/NFC's description of controls in exhibit A presents fairly, in all material respects, the relevant aspects of OCFO/NFC controls that had been placed in operation as of June 30, 2007. Also, in our opinion, the controls included and/or referenced in exhibit A, as updated, were suitably designed to provide reasonable assurance that the related control objectives would be achieved if the described controls were complied with satisfactorily and customer agencies applied the controls specified in the OCFO/NFC description of controls.

In addition, we performed tests to obtain evidence regarding the effectiveness of OCFO/NFC policies and procedures in meeting the controls included and/or referenced in exhibit A. The specific controls and the nature, timing, extent, and results of our tests are identified in exhibit B. This information has been provided to customer agencies and their auditors to be taken into consideration, along with information about the internal control at customer agencies, when making assessments of control risk for customer agencies. In our opinion, except for the matters referred to above, the controls we tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the associated control objectives were achieved during the period from July 1, 2006, through June 30, 2007.

The relative effectiveness and significance of specific controls at OCFO/NFC and their effect on assessments of control risk at customer agencies are dependent on their interaction with the controls and other factors present at individual customer agencies. We did not evaluate the effectiveness of controls at individual customer agencies.

The description of controls at OCFO/NFC is as of June 30, 2007, and information about tests of the operating effectiveness of specific controls covers the period from July 1, 2006, through June 30, 2007. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at OCFO/NFC is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projections of any conclusions, based on our findings, to future periods are subject to the risk that changes may alter the validity of such conclusions. Finally, the accuracy and reliability of data processed by OCFO/NFC and the resultant reports ultimately rest with the customer agency and any compensating controls implemented by such agency.

This report is intended solely for the management of OCFO/NFC, its customer agencies, and their auditors.


/s/

Robert W. Young
Assistant Inspector General
 for Audit

August 30, 2007


Exhibit A – Office of the Chief Financial Officer/National Finance Center Description of Controls
Exhibit A – Page 1 of 17

Pages 4 through 19 are not being publicly released due to the sensitive security information they contain.


Exhibit B – Office of Inspector General - Review of Selected Controls
Exhibit B – Page 1 of 16

This exhibit describes the results of our tests of operating effectiveness for the Office of the Chief Financial Officer/National Finance Center (OCFO/NFC) controls specified and/or referenced in exhibit A. It is intended to provide customer agencies with information about OCFO/NFC control structure policies and procedures that may affect the processing of customer agency transactions and the operating effectiveness of the policies and procedures we tested. This report, when combined with an understanding and assessment of the internal control structure policies and procedures at customer agencies, is intended to assist customer agency auditors in (1) planning the audit of customer agency financial statements, and (2) assessing control risk for assertions in customer agency financial statements that may be affected by OCFO/NFC control structure policies and procedures.

Our review was conducted through inquiry of key OCFO/NFC personnel, observation of activities, examination of relevant documentation and procedures, and other tests of controls.
We also followed up on known control weaknesses identified in prior Office of Inspector General audits. We performed such tests as we considered necessary to evaluate whether operating and control procedures established by OCFO/NFC and the extent of compliance with them were sufficient to provide reasonable, but not absolute, assurance that the specified control objectives were achieved. Our testing was not intended to apply to any procedures not included in this exhibit or to procedures that may be in effect at customer agencies.

The following table presents the control objectives specified by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, issued March 2006, related control activities established by OCFO/NFC, a description of our tests to determine if OCFO/NFC controls were operating with sufficient effectiveness to achieve the specified control objectives, and the results of those tests. The table has four columns (Control Objective, Control Activities, Tests Performed, Conclusion); each row is presented below with its four columns in that order.


1. Access Control

Control Objective

   Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Control Activities

   For OCFO/NFC employees, the network security policy states that individuals will be provided the least amount of access (within a defined role) necessary to perform their job and that access will be granted in accordance with OCFO/NFC management directives regarding data security access and internal controls for access to data and software. These management directives reiterate that OCFO/NFC employees will be authorized access only to the resources needed to perform their jobs and require separation of functions to guard against personnel having the opportunity to commit and/or conceal intentional or unintentional alteration, or destruction, of data or software. The data security access policy also refers to the OCFO/NFC role-based security access policy for users that have been implemented into role-based security. Another OCFO/NFC management directive requires access to highly controlled resources, such as production data, special system software, special system and database utilities, etc., to be limited to staff members with an ongoing need.

   The OCFO/NFC role-based security access policy assigns responsibilities and establishes procedures for requesting and maintaining role-based access. Desk procedures referred to by the role-based security directive specify procedures for adding and modifying access roles based on the OCFO/NFC security access form (NFC-1106) and a security requirements matrix (SRM) that is completed by the role owner and approved by the appropriate resource owners. The OCFO/NFC security access form is also used to add or remove users from access roles and delete access roles that are no longer needed. In addition, the role-based security access procedures contain requirements for reviewing all users assigned to each role annually and all resources assigned to each role every three years.

   For customer agency employees, the customer agency is responsible for designating personnel who are authorized to request user additions, deletions, and security level changes. OCFO/NFC then grants authority to access computer resources to individual users at the request of the customer agency security officer. Customer agency security officers are responsible for requesting access to applications in a manner that employs accepted separation of duty practices within their agency and ensuring the level of access assigned to a user remains appropriate over time.

   The OCFO/NFC network security policy also addresses suspending inactive user IDs, documenting and reviewing security administrator activity, limiting unsuccessful log-in attempts, displaying warning banners, and controlling remote access.

Tests Performed

   We randomly selected 30 of the 4,690 mainframe user identifications (ID) created from October 1, 2006, through May 1, 2007, for review to determine if the accounts had been appropriately authorized and the access granted had been restricted to that authorized by a security officer.

   We randomly selected 30 of the 165 Government Employees Services Division (GESD) and Human Resources Management Staff (HRMS) access roles defined as of June 18, 2007, for review to determine if access had been authorized and appropriately restricted to prevent users from having all of the necessary authority or information access to perform fraudulent activity without collusion.

   We reviewed access reports that identified users with the ability to update production application configuration management libraries as of May 2007.

   We reviewed access profiles that provided access to sensitive system libraries and access reports that identified staff members with access to sensitive programs.

   We randomly selected 15 of the 544 agency security officers as of May 1, 2007, and reviewed access reports that identified the administrative authorities assigned to agency security officers.

   We reviewed the logic for the OCFO/NFC program that disables inactive IDs and tested the logic using a listing of user IDs as of May 1, 2007.

   We interviewed OCFO/NFC personnel, reviewed desk procedures, and obtained examples of reports used to monitor administrative actions processed by security officers and others in the mainframe environment.

   We reviewed mainframe and Windows system documentation to determine if user IDs were locked after three unsuccessful sign-on attempts.

   We logged on to the OCFO/NFC mainframe (directly and remotely) and web-based applications available from OCFO/NFC's public web site to determine if a warning banner was displayed.

   We obtained a listing of dial-up connections at the interim computing facility and attempted to connect to these modems using a Windows communication program (HyperTerminal).

Conclusion

   OCFO/NFC controls were operating effectively to provide reasonable assurance that access granted to user IDs created during fiscal year 2007 was limited to that authorized, inactive user IDs were disabled, mainframe security administrator activity was documented and reviewed, unsuccessful log-in attempts were limited, and warning banners were displayed. However, OCFO/NFC controls had not operated effectively to consistently ensure that access roles provided the least amount of access necessary to perform job functions or that modems were properly protected before being placed in operation.

   For access roles, we found that 3 of the 30 roles we reviewed provided update access to the Position Management System (PMSO) even though only read access had been authorized on the role SRM. This access also unintentionally caused the access provided to the 92 GESD employees assigned these roles to violate separation of duties principles because the roles were authorized to process transactions in the Entry, Processing, Inquiry and Corrections System and either the Special Payroll Processing System, the System for Time and Attendance, and/or the Time & Attendance Online Suspense Correction and Document System. OCFO/NFC removed this unauthorized access on August 29, 2007.

   We also determined that one GESD and four Information Technology Services Division (ITSD) access roles included access to certain sensitive programs that were not needed to perform their job functions. OCFO/NFC subsequently removed this access.

   We also determined that one ITSD role was permitted all access to application configuration management load and copy member libraries even though this level of access was not needed to perform the job functions. This unnecessary access was removed.

   OCFO/NFC officials told us that they are refining procedures for creating and maintaining roles and training new security developers/administrators. OCFO/NFC is also verifying that SRMs are documented and appropriately authorized, application access is consistent with the SRM, and other resources are appropriate for the organization.

   We also determined that the 15 agency security officers we reviewed were granted an unnecessary administrative authority that could have allowed agency security officers to assign user schema had they had additional access permissions. OCFO/NFC removed this access.

   For remote access, we found that 3 of the 17 modems at the interim computing facility allowed connections without password protection. While these connections were allowed, additional passwords would have been required to access OCFO/NFC applications. In August 2007, we verified that one of these modems was disconnected and the other two were password-protected. OCFO/NFC told us they were in the process of updating procedures to ensure that security is addressed before modem lines are assigned.


2. Awareness and Training

Control Objective

   Organizations must (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Control Activities

   The OCFO/NFC Information Security Program includes security awareness training to notify users of information systems that support the operations and assets of the agency of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks. In this regard, the OCFO/NFC management directive for security awareness training requires new employees and contractor personnel to attend the OCFO/NFC New Employee Security Briefing before they are given access to OCFO/NFC computer systems. OCFO/NFC updated its procedures during our review to require divisional security coordinators to maintain the signed briefing and attach it to the security access form (NFC-1106) when requesting access. For customer agency employees, the user organization is responsible for ensuring users sign an agreement to abide by rules of behavior for accessing OCFO/NFC systems prior to requesting access.

   NFC also requires employees and contractors to complete annual security awareness training that addresses basic U.S. Department of Agriculture (USDA) computer security concepts and provides quarterly security briefings that address OCFO/NFC-specific security responsibilities.

Tests Performed

   We randomly selected 15 of the 55 employees hired between October 1, 2006, and March 26, 2007, and requested the new employee security briefing for these employees to determine if it had been completed before access was granted to OCFO/NFC computer systems.

   We reviewed security awareness training records and associated documentation to determine if 44 OCFO/NFC contractors who were issued badges in December 2007 had completed annual basic security awareness training.

   We interviewed OCFO/NFC staff members and reviewed the quarterly security awareness briefings provided in December 2006 and March 2007. We also reviewed sign-in sheets used to document attendance at quarterly security briefings.

Conclusion

   OCFO/NFC procedures provided reasonable assurance that the Center provided quarterly security briefings that addressed OCFO/NFC-specific security responsibilities. However, OCFO/NFC controls had not operated effectively to ensure that employees consistently completed the OCFO/NFC New Employee Security Briefing before they were given access to OCFO/NFC computer systems or all contractors completed annual awareness training.

   For the new employee security briefing, OCFO/NFC did not provide a signed security awareness briefing for 7 of the 15 new employees we reviewed. Consequently, we could not determine whether access was granted before the briefing for these employees. We also determined that user IDs for two of the remaining eight employees were created before the employee received the security awareness briefing. During our review, OCFO/NFC updated its procedures to require divisional security coordinators to maintain the signed briefing and attach it
when requesting access.\n\n                              For the basic security awareness                                            For annual security awareness\n                              training, division directors/staff chiefs                                   training, 33 of the 44\n                              are responsible for ensuring that all                                       contractors we reviewed had\n                              employees and contractor personnel in                                       taken the annual training as of\n                              his/her organization complete annual                                        June 30, 2007. OCFO/NFC\n                              security awareness training. The                                            officials told us that the\n                              OCFO/NFC training coordinator                                               remaining 11 contractors had\n                              provides reports to division                                                not completed the training\n                              coordinators to help them monitor                                           because they had not required\n                              completion rates for their                                                  contractors to sign up while\n                              organizations. USDA also provides                                           OCFO/NFC was updating the\n                              OCFO/NFC Cyber Security staff with                                          security awareness training\n                              a monthly IT security scorecard that                                        database (AgLearn).\n                              summarizes completion rates.                                                
OCFO/NFC officials also told\n                                                                                                          us that they are working with\n                              The OCFO/NFC management                                                     AgLearn technical support to\n                              directive for individual development                                        enroll these contractors so they\n                              plans specifies a process for ensuring                                      can complete the required\n                              that employees receive the training                                         training.\n                              required to perform their job functions.\n\n\nUSDA/OIG-A/11401-26-FM                                                                                                         Page 23\n\x0cExhibit B \xe2\x80\x93 Office of Inspector General - Review of Selected Controls\n                                                                                                              Exhibit B \xe2\x80\x93 Page 5 of 16\n      CONTROL                              CONTROL\n                                                                            TESTS PERFORMED                     CONCLUSION\n      OBJECTIVE                           ACTIVITIES\n3. Audit and                  The OCFO/NFC network security                We interviewed NFC            OCFO/NFC controls were\n   Accountability             policy requires the following security       personnel. We also reviewed   operating effectively to provide\n                              events to be logged: all logons and log      system documentation,         reasonable assurance that\n  Organizations must (i)      offs, all failed logons, all lockouts and    configuration information,    mainframe audit records were\n  create, protect, and        unlocks, all server-based administrator      and access reports.   
        created and protected and the\n  retain information          activities, all unsuccessful attempts to                                   actions of information system\n  system audit records to     access information resources, and all                                      users could be traced.\n  the extent needed to        modifications to highly sensitive data                                     However, OCFO/NFC controls\n  enable the monitoring,      and resources. The network security                                        had not ensured that unusual\n  analysis, investigation,    policy also requires server-based                                          and/or inappropriate\n  and reporting of            administrator activities and                                               modifications to certain\n  unlawful, unauthorized,     modifications to highly sensitive data                                     sensitive system resources and\n  or inappropriate            and resources to be reviewed to                                            application configuration\n  information system          identify and investigate unusual and/or                                    management libraries would be\n  activity; and (ii) ensure   inappropriate modifications. 
In this                                       identified and investigated.\n  that the actions of         regard, OCFO/NFC had established an\n  individual information      oversight committee to make policy                                         For sensitive system resources,\n  system users can be         decisions related to OCFO/NFC\xe2\x80\x99s                                            OCFO/NFC had instituted a\n  uniquely traced to those    logging, auditing, and monitoring                                          tracking system to ensure that\n  users so they can be        program to ensure efficiency and                                           reports were reviewed,\n  held accountable for        compliance with Departmental and                                           expanded its definition of\n  their actions.              Federal regulations. In addition, the                                      critical security resources, and\n                              OCFO/NFC mainframe security plan                                           established a requirement to\n                              states that audit trails are configured to                                 produce and distribute reports\n                              support personal accountability by                                         that document access activity\n                              providing a trace of user actions and                                      associated with sensitive\n                              includes the following minimum                                             system resources that could\n                              requirements for audit trail records:                                      impact security regularly.\n                              date and time of event; source; type of                                    However, these processes had\n                              event; success or failure of event; and                           
         not been fully implemented.\n                              name of program/file introduced,\n                              accessed, or deleted.                                                      As of June 30, 2007,\n                                                                                                         OCFO/NFC was regularly\n                                                                                                         reviewing monthly usage\n                                                                                                         reports for two programs\n                                                                                                         identified as critical system\n                                                                                                         resources in the mainframe\n                                                                                                         environment. 
In August 2007,\n                                                                                                         OCFO/NFC incorporated\n                                                                                                         reports that identified updates\n                                                                                                         to certain critical mainframe\n                                                                                                         data sets and usage of eight\n                                                                                                         additional sensitive programs\n                                                                                                         into its tracking system.\n                                                                                                         Monitoring reports for 21\n                                                                                                         programs added as critical\n                                                                                                         mainframe security resources\n                                                                                                         could not be produced because\n                                                                                                         these programs were not\n                                                                                                         protected by the mainframe\n                                                                                                         access control software.\n                                                                                                         OCFO/NFC officials told us\n                                                                                                         that they 
plan to refine the list\n                                                                                                         of sensitive programs; protect\n                                                                                                         these programs; and begin\n                                                                                                         distributing requested reports.\n\n\n\n\nUSDA/OIG-A/11401-26-FM                                                                                                         Page 24\n\x0cExhibit B \xe2\x80\x93 Office of Inspector General - Review of Selected Controls\n                                                                                                                Exhibit B \xe2\x80\x93 Page 6 of 16\n    CONTROL                               CONTROL\n                                                                           TESTS PERFORMED                       CONCLUSION\n    OBJECTIVE                            ACTIVITIES\n3. 
Audit and                                                                                               However, this effort will not\n   Accountability                                                                                          begin until after the data\n   (continued)                                                                                             center relocation to the\n                                                                                                           primary computing facility.\n\n                                                                                                           For application configuration\n                                                                                                           management libraries,\n                                                                                                           OCFO/NFC had implemented\n                                                                                                           automated processes to\n                                                                                                           identify unusual and/or\n                                                                                                           suspicious access activity, but\n                                                                                                           certain production libraries\n                                                                                                           were not included in the\n                                                                                                           monitoring report as of June\n                                                                                                           30, 2007. 
In August 2007,\n                                                                                                           OCFO/NFC expanded the\n                                                                                                           monitoring report to include\n                                                                                                           the remaining production\n                                                                                                           configuration libraries.\n\n4. Certification,           OCFO/NFC certification and                    We interviewed OCFO/NFC          OCFO/NFC controls were\n   Accreditation, and       accreditation (C&A) procedures require        personnel and reviewed           operating effectively to\n   Security Assessments     an independent security test and              OCFO/NFC assessments,            provide reasonable assurance\n                            evaluation (ST&E) to determine the            along with system detail and     that the associated NIST\n  Organizations must        effectiveness of the security controls. The   task reports, documented in      controls would be achieved.\n  (i) periodically assess   designated approving authority decides        the Automated System\n  the security controls     whether or not to authorize the system for    Security Evaluation and\n  in organizational         processing based on the ST&E results          Remediation Tracking\n  information systems       and residual risk. This accreditation         system.\n  to determine if the       decision, along with the supporting\n  controls are effective    documentation and rationale, are included     We also reviewed\n  in their application;     in the final accreditation package.           
OCFO/NFC general support\n  (ii) develop and          OCFO/NFC C&A procedures require               system test and evaluation\n  implement plans of        systems to be re-accredited every 3 years     reports, the tracking matrix\n  action designed to        or when significant changes occur.            that documented weaknesses\n  correct deficiencies      OCFO/NFC C&A procedures also                  identified and their\n  and reduce or             require agreements that specify security      resolution, and the\n  eliminate                 responsibilities for inter-agency or inter-   certification and\n  vulnerabilities in        department information system                 accreditation statements for\n  organizational            connections.                                  the OCFO/NFC general\n  information systems;                                                    support systems at its interim\n  (iii) authorize the       In addition, the OCFO/NFC Information         computing facility.\n  operation of              Security Program requires (1) testing and\n  organizational            evaluating the effectiveness of               In addition, we evaluated\n  information systems       information security policies, procedures,    interconnection security\n  and any associated        and practices at least annually; and (2)      agreements for 3 of the 15\n  information system        planning, implementing, evaluating, and       organizations with direct\n  connections; and (iv)     documenting remedial action to address        connections to the\n  monitor information       identified deficiencies. 
OCFO/NFC             OCFO/NFC interim\n  system security           division directors/staff chiefs are           computing facility.\n  controls on an            responsible for performing the security\n  ongoing basis to          control testing and preparing plans of\n  ensure the continued      action and milestones to remediate\n  effectiveness of the      deficiencies. In addition, OCFO/NFC\n  controls.                 Cyber Security staff is responsible for\n                            ensuring that security assessments are\n                            conducted and remedial action plans for\n                            security deficiencies are implemented.\n\n\nUSDA/OIG-A/11401-26-FM                                                                                                          Page 25\n\x0cExhibit B \xe2\x80\x93 Office of Inspector General - Review of Selected Controls\n                                                                                                            Exhibit B \xe2\x80\x93 Page 7 of 16\n    CONTROL                              CONTROL\n                                                                          TESTS PERFORMED                    CONCLUSION\n    OBJECTIVE                           ACTIVITIES\n5. Configuration           The OCFO/NFC general support system           For GSSs, we interviewed      OCFO/NFC controls were\n   Management (CM)         (GSS) configuration and change                NFC personnel and             operating effectively to\n                           management directive specifies policy,        reviewed system               provide reasonable assurance\n  Organizations must       responsibilities, and procedures for          documentation.                
that changes to its\n  (i) establish and        managing the configuration of and                                           applications were authorized,\n  maintain baseline        controlling both emergency and routine        For applications, we          documented, and controlled.\n  configurations and       changes to the OCFO/NFC GSS, which            interviewed NFC personnel     However, OCFO/NFC had\n  inventories of           includes all hardware, firmware, system       and reviewed system           not yet performed planned\n  organizational           software, and supporting components           documentation. We also        annual reviews to ensure that\n  information systems      (cables, connectors, etc.) that make up the   randomly selected 15 of the   its component baseline was\n  (including hardware,     entire data center environment. This          217 mandated application      accurate and that all\n  software, firmware,      directive establishes requirements for:       change projects and 10 of     unnecessary functions, ports,\n  and documentation)                                                     the 26 emergency changes      protocols, services, etc., had\n  throughout the           \xe2\x80\xa2 Maintaining both an online                  that were implemented         been identified and\n  respective system          configuration management repository         between October 1, 2006,      eliminated.\n  development life           and an online change management             and April 30, 2007, for\n  cycles; and (ii)           system;                                     GESD mainframe                In February 2007,\n  establish and enforce    \xe2\x80\xa2 documenting, testing, approving,            applications and reviewed     OCFO/NFC had updated its\n  security configuration     validating, and specifying the              associated documentation      policies and procedures to\n  settings for               outcome of each change 
request;             for each of the selected      establish requirements for\n  information              \xe2\x80\xa2 ensuring that the configuration             changes.                      maintaining an online\n  technology products        repository is updated when changes                                        configuration management\n  employed in                are completed; and                                                        repository of GSS\n  organizational           \xe2\x80\xa2 performing an annual review to                                            components and conducting\n  information systems.       ensure that the information included                                      an annual configuration\n                             in the repository is accurate.                                            review to ensure that the GSS\n                                                                                                       configuration repository is\n                           NFC management directives also require                                      accurate and that all\n                           all services not needed for applications                                    unnecessary functions, ports,\n                           and basic administration of the server to                                   protocols, services, etc., are\n                           be turned off and an annual configuration                                   identified and eliminated.\n                           review of all OCFO/NFC GSS                                                  While OCFO/NFC had also\n                           components to ensure that all                                               established the Data Center\n                           unnecessary functions, ports, protocols,                                    Organizer as the official\n                           services, etc., are identified and                     
                     configuration management\n                           eliminated.                                                                 repository in February 2007,\n                                                                                                       the Center had not conducted\n                           For applications, OCFO/NFC uses library                                     a review to determine if the\n                           management software to maintain                                             information was accurate or to\n                           application baselines throughout the                                        ensure that only required\n                           system development lifecycle. The                                           functions, ports, protocols,\n                           OCFO/NFC management directive for                                           services, etc. were available\n                           scheduled software maintenance requires                                     on its GSS components.\n                           all changes to be documented on a                                           OCFO/NFC officials told us\n                           program change request form, tested                                         that they had purchased a tool\n                           according to development organization                                       that would allow them to\n                           guidelines, and approved prior to                                           automate this review and\n                           implementation. 
Once all approvals have                                     planned to implement the tool\n                           been received, either the library                                           after the data center relocated\n                           management software or OCFO/NFC                                             to its primary computing\n                           staff members independent of the                                            facility.\n                           application developers implement the\n                           proposed change.\n\n\n\n\nUSDA/OIG-A/11401-26-FM                                                                                                      Page 26\n\x0cExhibit B \xe2\x80\x93 Office of Inspector General - Review of Selected Controls\n                                                                                                             Exhibit B \xe2\x80\x93 Page 8 of 16\n    CONTROL                                CONTROL\n                                                                            TESTS PERFORMED                   CONCLUSION\n    OBJECTIVE                             ACTIVITIES\n6. Contingency               The OCFO/NFC Information Security             We interviewed               OCFO/NFC controls were\n   Planning                  Program includes plans and procedures to      OCFO/NFC personnel. We       operating effectively to provide\n                             ensure continuity of operations for           also reviewed the            reasonable assurance that the\n  Organizations must         information systems that support the          OCFO/NFC COOP,               OCFO/NFC COOP and the\n  establish, maintain,       operations and assets of the agency.          
   Control objective (continued): and effectively implement plans for emergency response,
   backup operations, and post-disaster recovery for organizational information systems to
   ensure the availability of critical information resources and continuity of operations
   in emergency situations.

   Control activities (continued): OCFO/NFC Cyber Security staff are responsible for
   ensuring that a Continuity of Operations/Disaster Recovery Program is implemented,
   maintained, and tested according to NIST guidance. In addition, division
   directors/branch chiefs are responsible for providing plans and procedures in
   coordination with the OCFO/NFC central recovery plan and for developing, testing, and
   maintaining continuity of operations plans for their business units. In this regard, the
   OCFO/NFC Continuity of Operations Plan (COOP) relies on the OCFO/NFC Disaster Recovery
   Plan (DRP) for recovery of the computer processing capability if an event impacts the
   interim computing facility, and on Business Unit Plans, which are documented separately,
   to restore the business aspects of critical business unit functions.

   The OCFO/NFC COOP also states that OCFO/NFC conducts semi-annual tests (drills) at its
   recovery operations center and alternate work sites to train and exercise its business
   resumption capabilities as well as its recovery capability. In addition, the OCFO/NFC
   COOP states that the Center’s continuity of operations plans should be updated to
   reflect lessons learned during these tests.

   In addition, OCFO/NFC management directives require critical data on servers to be
   backed up regularly. System administrators are responsible for developing documented
   procedures for backup and recovery of data on the servers for which they are
   responsible. Critical application backups and operating system backups are tested at
   least annually as a part of the division/staff’s disaster recovery drill to ensure that
   such backups support network/workstation recovery and restore procedures.

   Tests performed (continued): OCFO/NFC DRP, documentation associated with OCFO/NFC DRP
   desktop reviews, and the results of a review of information system backups at the NFC
   offsite storage facility.

   Conclusion (continued): associated plan for recovering computer operations (DRP) had
   been updated to reflect the current operating environment, and information system
   backups were created and stored at an off-site facility. However, as of June 30, 2007,
   OCFO/NFC had not tested its updated recovery procedures to ensure that information
   systems could be recovered from its backups and reconstituted to a known secure state
   after a disruption or failure.

   In fiscal year 2006, we reported that OCFO/NFC had not yet updated its procedures for
   recovering computer operations (DRP) to reflect changes that occurred with the move to
   the interim computing facility or tested recovery of operations at its new recovery
   operations center. While OCFO/NFC had updated its DRP based on desktop reviews, the
   center had not tested recovery of computer operations based on the updated procedures
   as of June 30, 2007. OCFO/NFC performed a disaster recovery test in which it used backup
   information from its interim computing facility to recover its systems at the primary
   computing facility during the week of July 29, 2007. OCFO/NFC officials told us that
   they plan to update the recovery plan and procedures based on these results and to
   perform an additional test in November, when the backup computing facility is
   established in New Orleans.

USDA/OIG-A/11401-26-FM                                                            Page 27

Exhibit B – Office of Inspector General - Review of Selected Controls
                                                               Exhibit B – Page 9 of 16
CONTROL OBJECTIVE | CONTROL ACTIVITIES | TESTS PERFORMED | CONCLUSION

7. Identification and Authentication

   Control objective: Organizations must identify information system users, processes
   acting on behalf of users, or devices and authenticate (or verify) the identities of
   those users, processes, or devices, as a prerequisite to allowing access to
   organizational information systems.

   Control activities: For OCFO/NFC employees, the OCFO/NFC network security policy states
   that user IDs and processes will be identified to an individual, have a password, and
   not be shared. This policy also states that if a process cannot be specifically tied to
   an individual, then the password lifetime will be issued for the period of the session.
   In addition, the network security policy requires initial passwords to be communicated
   in confidence and set to expire and force a new password selection on the user’s first
   sign-on to the system. Additional desk procedures provide guidance on resetting
   passwords.

   The OCFO/NFC network security policy states that passwords should:

   • be at least six characters;
   • consist of alphabetic and numeric characters;
   • not be stored in clear text on any medium;
   • not be the same as any of the five previous passwords;
   • not be identical to the user’s ID;
   • be set to expire at least every 90 days;
   • be controlled via a restricted password list when possible; and
   • be protected from eavesdropping during network transmissions.

   The network security policy also requires default passwords to be changed when the
   hardware or application is implemented. In addition, this policy states that whenever
   access is to be gained by remote methods, passwords will be supplemented with personal
   identification numbers, tokens, smart cards, or some other trusted authentication
   device or procedure.

   For customer agency employees, the customer agency is responsible for designating
   personnel (agency security officers) who are authorized to request user additions,
   deletions, and security level changes. Agency security officers are also responsible
   for ensuring that the level of access assigned to a user remains appropriate over time.

   Tests performed: We interviewed OCFO/NFC personnel. We also reviewed a listing of user
   IDs and mainframe password settings. In addition, we accessed the NFC mainframe and
   web-based applications available from the NFC web site to determine if NFC systems
   obscured feedback of authenticator information.

   Conclusion: OCFO/NFC controls were operating effectively to provide reasonable
   assurance that the associated NIST controls would be achieved.
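   The password rules listed under control 7 are concrete enough to be enforced in code.
   The following is an added example written for this page, not OCFO/NFC code and not the
   mainframe's password processing. It assumes passwords are stored only as salted PBKDF2
   hashes (so neither the current password nor the history is ever in clear text), reads
   "five previous passwords" as the current password plus the four before it, treats a
   password as expired once it is 90 days old, and uses a constructed three-word
   restricted list in place of a real one.

```python
# Added example (not OCFO/NFC code): enforcing the network security policy's password
# rules. Assumptions: salted PBKDF2 storage, "five previous" = current + four older,
# expiry at MAX_AGE_DAYS, and a constructed RESTRICTED list.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 6          # "be at least six characters"
HISTORY_DEPTH = 5       # "not be the same as any of the five previous passwords"
MAX_AGE_DAYS = 90       # "be set to expire at least every 90 days"
PBKDF2_ROUNDS = 100_000

# Constructed restricted password list; a production list would be far larger.
RESTRICTED = {"password", "welcome1", "abc123"}


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class StoredPassword:
    """Salted hash plus the date it was set; the clear text is never retained."""
    salt: bytes
    digest: bytes
    set_on: date

    @classmethod
    def create(cls, password: str, set_on: date) -> "StoredPassword":
        salt = os.urandom(16)
        return cls(salt, _digest(password, salt), set_on)

    def matches(self, candidate: str) -> bool:
        return hmac.compare_digest(_digest(candidate, self.salt), self.digest)


@dataclass
class Account:
    user_id: str
    current: StoredPassword
    history: list = field(default_factory=list)  # earlier passwords, newest first, hashed
    must_change: bool = True  # an initial password expires at the user's first sign-on


def policy_violations(account: Account, new_password: str) -> list:
    """Return every rule the proposed password breaks; an empty list means it is acceptable."""
    problems = []
    if len(new_password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in new_password)
    has_digit = any(c.isdigit() for c in new_password)
    if not (has_alpha and has_digit):
        problems.append("must contain both alphabetic and numeric characters")
    if new_password.lower() == account.user_id.lower():
        problems.append("identical to the user ID")
    if new_password.lower() in RESTRICTED:
        problems.append("on the restricted password list")
    recent = [account.current] + account.history[: HISTORY_DEPTH - 1]
    if any(stored.matches(new_password) for stored in recent):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def change_password(account: Account, new_password: str, today: date) -> None:
    """Apply the policy, then rotate the current hash into the history."""
    problems = policy_violations(account, new_password)
    if problems:
        raise ValueError("; ".join(problems))
    account.history.insert(0, account.current)
    del account.history[HISTORY_DEPTH - 1:]  # keep exactly five, the new current included
    account.current = StoredPassword.create(new_password, today)
    account.must_change = False


def change_required(account: Account, today: date) -> bool:
    """True at first sign-on with an initial password, or once the 90-day lifetime has run out."""
    age = today - account.current.set_on
    return account.must_change or age >= timedelta(days=MAX_AGE_DAYS)


def demo() -> dict:
    """Walk one constructed account through the policy and return the observations."""
    acct = Account("jdoe", StoredPassword.create("Init1ally", date(2007, 1, 1)))
    out = {
        "first_signon_forces_change": change_required(acct, date(2007, 1, 1)),
        "user_id_as_password": policy_violations(acct, "jdoe"),
        "restricted_word": policy_violations(acct, "abc123"),
        "reuse_of_current": policy_violations(acct, "Init1ally"),
    }
    change_password(acct, "Spring07", date(2007, 1, 2))
    out["expired_after_88_days"] = change_required(acct, date(2007, 3, 31))
    out["expired_after_90_days"] = change_required(acct, date(2007, 4, 2))
    out["reuse_after_rotation"] = policy_violations(acct, "Init1ally")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

   The history check works only because the old hashes and their salts are retained; a
   system that kept a history of clear-text passwords to compare against would itself
   violate the "not stored in clear text on any medium" rule. The remote-access rule
   (supplementing the password with a PIN, token or smart card) is outside this block.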
8. Incident Response

   Control objective: Organizations must (i) establish an operational incident handling
   capability for organizational information systems that includes adequate preparation,
   detection, analysis, containment, recovery, and user response activities; and (ii)
   track, document, and report incidents to appropriate organizational officials and/or
   authorities.

   Control activities: The OCFO/NFC Information Security Program includes procedures for
   detecting, reporting, and responding to security incidents. In this regard, the
   OCFO/NFC Computer Incident Handling Guide establishes policy, responsibilities, and
   procedures for addressing computer security incidents. These procedures address
   detecting potential incidents; documenting and analyzing potential incidents to
   determine if an incident has occurred and, if so, the appropriate steps for containment,
   eradication, and recovery from the incident; and documenting, tracking, and promptly
   reporting information security incidents to the appropriate authorities.

   Tests performed: We interviewed NFC personnel and reviewed the NFC Computer Incident
   Handling Guide, along with sign-in sheets for incident response training that was
   provided to ITSD Operations Security Center staff members.

   Conclusion: OCFO/NFC controls were operating effectively to provide reasonable
   assurance that the associated NIST controls would be achieved.
9. Planning

   Control objective: Organizations must develop, document, periodically update, and
   implement security plans for organizational information systems that describe the
   security controls in place or planned for the information systems and the rules of
   behavior for individuals accessing the information systems.

   Control activities: The OCFO/NFC Information System Security Program requires division
   directors/staff chiefs to prepare and maintain system security plans (SSP) that provide
   adequate information security for system resources under their responsibility. In this
   regard, OCFO/NFC certification and accreditation procedures require the existing SSP to
   be reviewed to ensure that it describes the most current system configuration, specifies
   all security controls included in the system, and was prepared according to NIST
   guidance. These procedures also require SSP updates when changes that impact security
   are implemented. USDA also requires agency heads to submit system security plans and
   attest to their accuracy and completeness annually.

   In addition, the OCFO/NFC management directive for security awareness training requires
   new employees and contractor personnel to attend the OCFO/NFC New Employee Security
   Briefing, which includes rules of behavior, before they are given access to OCFO/NFC
   computer systems. For user organization employees, the user organization is responsible
   for ensuring that users sign an agreement to abide by rules of behavior for accessing
   OCFO/NFC systems prior to requesting their access.

   Tests performed: We interviewed NFC personnel and reviewed the final system security
   plans for the NFC GSS’ associated with payroll/personnel services, along with the
   Security Access Manual provided to agency security officers.

   Conclusion: OCFO/NFC controls were operating effectively to provide reasonable
   assurance that the associated NIST controls would be achieved.
10. Personnel Security

   Control objective: Organizations must (i) ensure that individuals occupying positions
   of responsibility within organizations (including third-party service providers) are
   trustworthy and meet established security criteria for those positions; (ii) ensure
   that organizational information and information systems are protected during and after
   personnel actions such as terminations and transfers; and (iii) employ formal sanctions
   for personnel failing to comply with organizational security policies and procedures.

   Control activities: The OCFO/NFC personnel security and suitability program directive,
   which applies to all OCFO employees, contractors, and consultants located at OCFO/NFC,
   requires every position to be assigned a Position Sensitivity Designation (PSD) level
   according to its potential to have an adverse effect on the USDA mission and national
   security, and requires each person to undergo the appropriate type of personnel
   security investigation based on the position sensitivity or risk level designation.
   This directive also requires each PSD to be reviewed when job responsibilities change or
   every 2 years.

   In addition, the OCFO/NFC management directive for completing its separation (NFC-1267)
   and transfer (NFC-1366) forms provides a means to ensure that organizational information
   systems are protected when terminations and transfers occur.

   Furthermore, the OCFO/NFC management directive specifying information system user
   responsibilities requires OCFO/NFC managers to consult with the HRMS regarding the
   appropriate disciplinary action to take against employees for not complying with the
   responsibilities specified.

   Tests performed: We interviewed OCFO/NFC personnel and reviewed Security Entry and
   Tracking System (SETS) information as of May 29, 2007, along with the results of
   OCFO/NFC’s 2006 PSD review.

   We randomly selected 15 of the 107 employee transfers that occurred from October 1,
   2006, through April 6, 2007, for review. For each of the selected transfers, we reviewed
   the transfer (NFC-1366) form and the access permissions associated with the transferred
   employee’s user ID.

   We randomly selected 15 of the 47 employee separations that occurred from October 1,
   2006, through March 16, 2007. For each of these separations, we reviewed the separation
   (NFC-1267) form, a listing of mainframe user IDs, and Information System Security Office
   (ISSO) documentation to determine when access was disabled.

   Conclusion: OCFO/NFC controls were operating effectively to provide reasonable
   assurance that organizational information systems were protected when transfers
   occurred and that appropriate disciplinary actions would be taken if employees fail to
   comply with information system user responsibilities. While OCFO/NFC had improved its
   control processes, we found that controls were not operating with sufficient
   effectiveness to ensure that employee PSDs were accurately reflected in SETS, that
   suitable personnel security investigations were requested, or that separation forms
   were consistently completed before employees separated.

   For employee PSDs, even though OCFO/NFC had instituted a quarterly PSD review to help
   ensure that PSDs remain accurate, we determined that SETS did not contain accurate PSDs
   for more than 20 percent of the employees we compared (7 of 33): their SETS PSD did not
   match the results of the NFC PSD review. This occurred because one division had not
   performed its PSD review while its security officer was temporarily reassigned. While
   the employees’ background investigations were suitable based on the correct PSD,
   OCFO/NFC had identified these employees as needing higher level background
   investigations. To prevent this type of problem from recurring, OCFO/NFC officials told
   us that they plan to begin requiring the security officers to report the results of
   their quarterly review even if no changes are required.

   For personnel security investigations, we determined that the appropriate level of
   background investigation had not been requested for about 6 percent of OCFO/NFC
   employees (55 of 847) in SETS as of May 29, 2007. While these employees had undergone
   the minimum required investigation for Federal employees, OCFO/NFC procedures required a
   more stringent investigation based on the employee’s PSD. OCFO/NFC officials told us
   that they had performed a manual review of SETS information in March and April 2007 to
   identify employees that did not have appropriate background investigations for their
   current PSD and were in the process of scheduling the needed investigations. This
   manual review occurred because SETS does not provide a reporting mechanism that allows
   users to easily identify employees with unsuitable investigations based on their
   current PSD. OCFO/NFC officials confirmed with a USDA Personnel and Document Security
   Division official that the new version of SETS, which is scheduled for implementation
   on or about November 2007, will include a report that should help organizations ensure
   that investigations are appropriate. In addition, OCFO/NFC officials told us that they
   plan to begin requiring an OPM worksheet to be submitted for PSD changes. These forms
   will be assigned a control number and forwarded to the appropriate organizations to
   ensure that the PSD change is made in PMSO and additional background investigation
   requirements are identified in a timely manner.

   As of August 24, 2007, OCFO/NFC had made corrections for about half (26 of 55) of the
   unsuitable investigations we identified, by either submitting requests to update
   background investigations or reclassifying PSDs to more accurately reflect the
   employee’s duties. OCFO/NFC officials told us that they planned to provide additional
   education regarding PSDs and to continue submitting requests to update background
   investigations for employees based on their correct PSDs.

   For separations, the OCFO/NFC separation form (NFC-1267) was not processed on or before
   the employee’s separation date for 5 of the 15 separated employees that we reviewed. In
   each of these cases, the employee’s supervisor had not ensured that the form was
   completed and delivered to HRMS by the separation date. ISSO personnel processed these
   forms from 11 to 57 days after the actual separation date, which increases the risk of
   improper activity after separation. However, we verified that this control weakness had
   not resulted in improper mainframe activity. We also noted that four of these five
   instances occurred before OCFO/NFC updated its procedures in December to require the
   employee’s immediate supervisor to ensure that the OCFO/NFC separation form is
   completed and delivered to HRMS no later than close of business on the effective date
   of the separation.
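   The separation test under control 10 (comparing the NFC-1267 effective date with the
   date ISSO disabled the user ID, then checking the mainframe for activity after
   separation) is a reconciliation that can be scripted against the same three inputs.
   The following is an added example, not OCFO/NFC code or a tool used in the audit. The
   record layout, user IDs, dates and logon records are constructed; the review date is
   the end of the audit's separation sample window.

```python
# Added example (not OCFO/NFC code): reconcile separations with access-disable dates and
# mainframe logons. All records below are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Separation:
    user_id: str
    separated_on: date                       # effective date on the NFC-1267 form
    access_disabled_on: Optional[date] = None  # date ISSO disabled the user ID; None = still active


# Constructed separation sample.
SEPARATIONS = [
    Separation("u10231", date(2006, 11, 15), date(2006, 11, 15)),  # disabled on the day
    Separation("u10477", date(2006, 12, 1), date(2006, 12, 12)),   # 11 days late
    Separation("u10502", date(2007, 1, 10), date(2007, 3, 8)),     # 57 days late
    Separation("u10688", date(2007, 2, 20), None),                 # never disabled
    Separation("u10719", date(2007, 3, 1), date(2007, 2, 28)),     # disabled ahead of time
]

# Constructed mainframe logon records: (user ID, logon date).
LOGONS = [
    ("u10231", date(2006, 11, 14)),
    ("u10477", date(2006, 12, 5)),
    ("u10477", date(2006, 12, 1)),
    ("u10688", date(2007, 3, 2)),
    ("u99999", date(2007, 3, 2)),   # not a separated employee; ignored
]

REVIEW_DATE = date(2007, 3, 16)    # end of the audit's separation sample window


def days_late(sep: Separation, as_of: date) -> int:
    """Days from the separation date to disablement; a still-active ID is measured to as_of."""
    disabled = sep.access_disabled_on or as_of
    return (disabled - sep.separated_on).days


def late_disablements(seps: List[Separation], as_of: date) -> List[Tuple[str, int]]:
    """User IDs not disabled by close of business on the separation date, with the lag in days."""
    return [(s.user_id, days_late(s, as_of)) for s in seps if days_late(s, as_of) > 0]


def activity_after_separation(seps: List[Separation], logons) -> Dict[str, List[date]]:
    """Logons recorded after the separation date: the improper activity the audit checked for."""
    separated = {s.user_id: s.separated_on for s in seps}
    flagged: Dict[str, List[date]] = {}
    for user_id, when in sorted(logons):
        if user_id in separated and when > separated[user_id]:
            flagged.setdefault(user_id, []).append(when)
    return flagged


def report(seps=SEPARATIONS, logons=LOGONS, as_of=REVIEW_DATE) -> dict:
    late = late_disablements(seps, as_of)
    return {
        "late": late,
        "max_days_late": max((d for _, d in late), default=0),
        "activity_after_separation": activity_after_separation(seps, logons),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

   Two points carry over from the finding: an ID that was never disabled is the worst
   case and must not drop out of the late list just because it has no disable date, and
   a late disablement is only a control weakness, while a logon after the separation date
   is the actual harm, so the two are reported separately.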
11. Risk Assessment

   Control objective: Organizations must periodically assess the risk to organizational
   operations (including mission, functions, image, or reputation), organizational assets,
   and individuals, resulting from the operation of organizational information systems and
   the associated processing, storage, or transmission of organizational information.

   Control activities: The OCFO/NFC Information System Security Program requires periodic
   assessments of the risk and magnitude of the harm that could result from the
   unauthorized access, use, disclosure, disruption, modification, or destruction of
   information and information systems that support its operations and assets, and tasks
   division directors/staff chiefs with ensuring that these risk assessments are prepared
   and maintained. In this regard, OCFO/NFC C&A procedures require the risk assessment to
   contain a security categorization based on FIPS 199 guidance, to be reviewed to ensure
   that it identifies all apparent threats and vulnerabilities in the information
   technology system and is consistent with NIST guidance, and to be updated each time
   there is a change to the security controls on the system that might affect the residual
   risk to the system.

   In addition, OCFO/NFC currently performs monthly scans to identify network
   vulnerabilities. The OCFO/NFC management directive for network vulnerability
   self-assessments requires the identified vulnerabilities to be analyzed and eliminated,
   or documented if the vulnerability is required for production processes. While the
   directive does not specify a timeframe for resolution, it requires approved action
   plans for vulnerabilities that are not resolved or documented within 45 days.

   Tests performed: We interviewed NFC personnel and reviewed the final C&A documentation,
   including risk assessments, for the NFC GSS’ associated with payroll/personnel
   services. We also evaluated the NFC vulnerability scanning process, including the
   cumulative vulnerability report as of June 21, 2007. In addition, we reviewed 8 of the
   48 vulnerabilities that had been classified as either a false positive or an acceptable
   risk.

   Conclusion: OCFO/NFC controls were operating effectively to provide reasonable
   assurance that the associated NIST controls would be achieved.

12. System and Communications Protection

   Control objective: Organizations must (i) monitor, control, and protect organizational
   communications (i.e., information transmitted or received by organizational information
   systems) at the external boundaries and key internal boundaries of the information
   systems; and (ii) employ architectural designs, software development techniques, and
   systems engineering principles that promote effective information security within
   organizational information systems.

   Control activities: The OCFO/NFC network connects its resources to the Internet, to the
   general USDA network, to other US Government agencies, and to financial institutions.
   The OCFO/NFC firewall policy establishes a requirement for a demilitarized zone between
   the Internet and OCFO/NFC’s internal network to support applications that require
   publicly accessible network servers. The demilitarized zone is protected by firewalls on
   both sides. The OCFO/NFC firewall policy also requires all direct connections to the
   Internet or other networks to occur through an OCFO/NFC managed firewall that denies
   all inbound and outbound protocols unless specifically permitted and identifies the
   source and destination for each protocol.

   NFC procedures for connecting laptop computers and other devices to the OCFO/NFC network
   prohibit employees from connecting devices to the network without approval. If
   approved, OCFO/NFC ensures that the device is appropriately protected before connecting
   it to the network.

   Tests performed: We interviewed NFC personnel and reviewed system documentation,
   including NFC firewall rules.

   Conclusion: OCFO/NFC controls were operating effectively to provide reasonable
   assurance that the associated NIST controls would be achieved.

13.
System and              NFC management directives and             We interviewed NFC              OCFO/NFC controls were\n    Information             other guidance establish policy,          personnel and reviewed          operating effectively to provide\n    Integrity               responsibilities, and procedures for      system configuration            reasonable assurance that the\n                            reviewing advisory alerts and             information. We also            associated NIST controls would\n    Organizations must      implementing network system               evaluated the NFC               be achieved.\n    (i) identify, report,   security patches required for             vulnerability scanning\n    and correct             OCFO/NFC systems, requiring the           process, including the\n    information and         use of anti-virus software, and           cumulative vulnerability\n    information system      prohibiting users from installing         report as of June 21, 2007.\n    flaws in a timely       unauthorized software on their            In addition, we reviewed 8\n    manner; (ii)            computers.                                
of the 48 vulnerabilities\n    provide protection                                                that had been classified as\n    from malicious          The OCFO/NFC management                   either a false positive or an\n    code at appropriate     directive for network vulnerability       acceptable risk.\n    locations within        self assessments also requires\n    organizational          vulnerability scans to be performed at\n    information             least quarterly and states that\n    systems; and (iii)      identified network vulnerabilities will\n    monitor                 be analyzed and eliminated or\n    information system      documented if the vulnerability is\n    security alerts and     required for production processes.\n    advisories and take     While the directive does not specify a\n    appropriate actions     timeframe for resolution, it requires\n    in response.            action plans to be documented and\n                            approved for vulnerabilities that are\n                            not resolved or documented within 45\n                            days.\n\n                            In addition, OCFO/NFC network\n                            security policy states that the Center\n                            will develop and administer an\n                            intrusion detection program to reduce\n                            the risk of unauthorized access or\n                            hostile activity.\n\n\n\n\nUSDA/OIG-A/11401-26-FM                                                                                                       Page 35\n\x0c'
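The network vulnerability self-assessment directive is described twice above (under Risk Assessment and again under System and Information Integrity): every scan finding is eliminated or documented as a false positive / acceptable risk when production requires it, a finding that is neither resolved nor documented within 45 days needs an approved action plan, and scans run at least quarterly. The script below is an added example of how an auditor or the Center's own staff could apply those rules to a cumulative vulnerability report; it is not NFC's tooling and is not taken from the audit. The CSV layout, column names, status values, the 92-day reading of "quarterly", and the sample findings and scan dates are all constructed assumptions.

```python
"""Triage a cumulative vulnerability report against the 45-day / quarterly
rules of a self-assessment directive (added example; the report format,
column names and status values are assumptions, not NFC's export)."""
import csv
import io
import random
from datetime import date

ACTION_PLAN_DEADLINE_DAYS = 45        # stated in the directive
MAX_SCAN_GAP_DAYS = 92                # "at least quarterly", assumed as 92 days
DOCUMENTED_STATUSES = {"false_positive", "acceptable_risk"}

# Constructed sample export (fields and values are invented for illustration).
SAMPLE_REPORT = """\
finding_id,host,plugin,severity,first_seen,status,justification,action_plan_approved
V-001,pay-web01,SSLv2 enabled,high,2007-03-02,open,,no
V-002,pay-web01,Apache version banner,low,2007-03-02,false_positive,Banner is hardened proxy text,no
V-003,pay-db01,Listener password weak,high,2007-06-01,open,,no
V-004,pers-app02,Telnet service,high,2007-04-10,open,,yes
V-005,pers-app02,Legacy FTP for batch feed,medium,2007-01-15,acceptable_risk,Required for mainframe batch transfer,no
V-006,pay-db01,MS05-039 missing,high,2007-02-20,resolved,,no
V-007,pers-app03,Weak SNMP community,medium,2007-05-30,acceptable_risk,,no
"""

# Constructed monthly scan history for the cadence check.
SCAN_DATES = ["2007-01-19", "2007-02-16", "2007-03-16",
              "2007-04-20", "2007-05-18", "2007-06-15"]


def _to_date(value):
    """Accept a date object or an ISO yyyy-mm-dd string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_report(text):
    """Parse the CSV export into dicts with real dates and booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = _to_date(row["first_seen"])
        row["action_plan_approved"] = row["action_plan_approved"].strip().lower() == "yes"
        rows.append(row)
    return rows


def classify(finding, as_of):
    """Return the directive category a finding falls into as of `as_of`."""
    age_days = (_to_date(as_of) - finding["first_seen"]).days
    if finding["status"] == "resolved":
        return "resolved"
    if finding["status"] in DOCUMENTED_STATUSES:
        # An exception with no written justification is what a reviewer
        # sampling the documented false positives / accepted risks would flag.
        if finding["justification"].strip():
            return "documented"
        return "documented_no_justification"
    if age_days <= ACTION_PLAN_DEADLINE_DAYS:
        return "open_within_window"
    return "open_with_plan" if finding["action_plan_approved"] else "noncompliant"


def triage(text, as_of):
    """Group finding ids by category; 'noncompliant' is the exception list."""
    buckets = {}
    for finding in parse_report(text):
        buckets.setdefault(classify(finding, as_of), []).append(finding["finding_id"])
    return buckets


def scan_cadence_gaps(scan_dates, max_gap_days=MAX_SCAN_GAP_DAYS):
    """Return (earlier, later) date pairs of consecutive scans further apart
    than the allowed gap, i.e. where the quarterly requirement was missed."""
    ordered = sorted(_to_date(d) for d in scan_dates)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if (b - a).days > max_gap_days]


def audit_sample(text, size, seed=0):
    """Deterministically pick `size` documented exceptions for manual review,
    the way the audit sampled 8 of 48 classified findings."""
    documented = sorted(f["finding_id"] for f in parse_report(text)
                        if f["status"] in DOCUMENTED_STATUSES)
    return random.Random(seed).sample(documented, min(size, len(documented)))


if __name__ == "__main__":
    report_date = "2007-06-21"   # the cumulative-report date cited in the audit
    for category, ids in sorted(triage(SAMPLE_REPORT, report_date).items()):
        print(f"{category:28s} {', '.join(ids)}")
    print("cadence gaps:", scan_cadence_gaps(SCAN_DATES))
    print("sample for review:", audit_sample(SAMPLE_REPORT, 2))
```

Run against the constructed data as of June 21, 2007, the only finding that violates the directive is V-001 (open 111 days with no approved action plan); V-004 is also past 45 days but carries an approved plan, and V-007 is flagged separately because it was accepted without a recorded justification, which is exactly the kind of entry a sample review of documented exceptions is meant to catch.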